
I want to run an automatic scan on a web application made with Angular and JSNode. On this one I have access to different types of accounts. In OWASP ZAP I can select the POST request; it detects the parameters in the request, I show it which parameter corresponds to the login and which to the password, and then I give it the different accounts I have at my disposal (login / password). Thanks to this, it has no problem attacking my site even if the token expires.

Recently, I switched to Burp Suite thanks to the trial version to do some comparative tests. However, I can't reproduce this mechanism so that it authenticates itself during the automatic scan. Could someone advise me? I found some pages that seem to describe this mechanism, but my requests are not the same and I'm a bit stuck (for example, I can't find a deauthentication request).

Thank you in advance for your advice! I hope this time I've been clear enough ;) (yes this is my second post after the last one was blocked)

What I found:

William

1 Answer


Recently PortSwigger added the functionality to record the authentication process within Burp Suite. Burp Suite will then be able to authenticate again if its current session expires or it becomes unauthenticated. This functionality is available in version 2020.9.2 and onwards.

Source: https://portswigger.net/burp/documentation/desktop/scanning/recorded-logins

Is this the functionality you are searching for?
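Both the question (ZAP configured with login/password parameters and a set of accounts, still scanning after the token expires) and the answer (Burp recorded logins re-authenticating when the session becomes unauthenticated) describe the same mechanism: detect a "logged out" response, replay the login, retry the request. The Python below is an added example of that loop, not code from ZAP, Burp or the original post. The target application `FakeApp` is a constructed stand-in for the Angular/Node app (it issues bearer tokens that stop working after a fixed number of requests); the credential names `username`/`password`, the bearer-token scheme and the 401 logged-out indicator are assumptions for the example.

```python
"""Re-authenticate-on-expiry loop, the behaviour ZAP's configured users and
Burp's recorded logins provide during an automated scan (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class FakeApp:
    """Constructed stand-in for the target app: a login endpoint that returns
    a bearer token, and protected endpoints that answer 401 once the token has
    been used `token_lifetime` times (simulating expiry)."""
    users: Dict[str, str]
    token_lifetime: int = 3
    logins: int = 0
    _tokens: Dict[str, int] = field(default_factory=dict)

    def post_login(self, body: Dict[str, str]) -> Tuple[int, dict]:
        if self.users.get(body.get("username", "")) != body.get("password"):
            return 401, {"error": "bad credentials"}
        self.logins += 1
        token = f"tok{self.logins}"
        self._tokens[token] = self.token_lifetime
        return 200, {"token": token}

    def get(self, path: str, headers: Dict[str, str]) -> Tuple[int, dict]:
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        remaining = self._tokens.get(token, 0)
        if remaining <= 0:
            return 401, {"error": "unauthenticated"}  # expired or missing
        self._tokens[token] = remaining - 1
        return 200, {"path": path}


@dataclass
class AuthenticatedScanner:
    """Sends scan requests as one configured account and re-runs the login
    whenever a response matches the logged-out indicator."""
    app: FakeApp
    credentials: Dict[str, str]   # one of the accounts configured for the scan
    max_relogins_per_request: int = 1
    token: Optional[str] = None
    relogins: int = 0

    def login(self) -> None:
        status, body = self.app.post_login(dict(self.credentials))
        if status != 200:
            # Wrong password: re-logging in would loop forever, so stop here
            raise RuntimeError(f"login failed for {self.credentials['username']}")
        self.token = body["token"]

    @staticmethod
    def is_logged_out(status: int, body: dict) -> bool:
        # Logged-out indicator (assumed): HTTP 401. In ZAP/Burp this is the
        # status or regex you configure to recognise an unauthenticated response.
        return status == 401

    def request(self, path: str) -> Tuple[int, dict]:
        if self.token is None:
            self.login()
        status, body = 0, {}
        for _ in range(self.max_relogins_per_request + 1):
            headers = {"Authorization": f"Bearer {self.token}"}
            status, body = self.app.get(path, headers)
            if not self.is_logged_out(status, body):
                return status, body
            self.relogins += 1       # token expired: log in again and retry
            self.login()
        return status, body


def scan(scanner: AuthenticatedScanner, paths) -> Dict[str, int]:
    """Drive every path through the scanner; returns path -> final status."""
    return {p: scanner.request(p)[0] for p in paths}


if __name__ == "__main__":
    app = FakeApp(users={"alice": "s3cret"}, token_lifetime=3)
    sc = AuthenticatedScanner(app, {"username": "alice", "password": "s3cret"})
    print(scan(sc, [f"/api/item/{i}" for i in range(7)]))
    print("logins:", app.logins, "relogins:", sc.relogins)
```

With a token that survives three requests, seven scan requests cost three logins in total: the initial one plus one re-login each time a 401 appears, and every request still ends with a 200. A scanner without this loop would report the fourth and later paths as unauthenticated and miss everything behind them, which is why both tools need the credentials (or a recorded login) rather than a single captured token.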